Thursday, July 07, 2011

maybe we should blame the victim

pardon my iconoclasm, but a twitter conversation with jerome segura and maxim weinstein got me thinking about this. it was sparked by maxim's blog post "stop blaming the victims" where he argued that we shouldn't be blaming people for failing to follow security best practices (such as keeping web servers up to date). personally i consider this to be a form of infantilization. i've argued against coddling users before but i want to expand on the idea here.

the principle and practice of not blaming the users basically sends them the message that they're OK, they didn't do anything wrong, and they can keep doing things the way they have been. this is a marked departure from many of the other messages we send users trying to get them to be more aware of security and to make better decisions in security contexts. that makes the "don't blame the victim" dogma a substantially mixed message. have they really done nothing wrong? oftentimes there are things they could/should have done differently, things they've been told about in the past but still failed to consider. can they be entirely free from responsibility for what happens to them in such a circumstance? i don't believe so. do we really want to send the message that they did nothing wrong and don't have to change? how will we ever get people to take better care of their security if we do that? many people are poorly adapted to the realities of the modern world and if there's no force giving them pushes in the right direction they'll never improve.

more fundamental than that is the fact that victims are victims of the word "victim". by acknowledging someone as a victim we accept and embrace the notion of powerlessness that the word engenders. recognizing people as victims gives them a license to be victims and to remain victims. when someone is taken advantage of we shouldn't be treating them as some helpless and fragile thing, we should be helping them to become empowered so that they don't get taken advantage of again and again and again. by telling them they're helpless victims we rob them of the opportunity to better master their fates and gain confidence in their abilities. perpetuating the notion of the victim keeps the lay-person down.

therefore, not only do i think we should hold people at least partially responsible for the consequences of their actions or inactions (to blame the victim in normal parlance), but i also think we should blame the people who say "don't blame the victim". their well-meaning but ultimately misplaced mollycoddling holds people back and stymies our collective growth and advancement. we can never adapt if we're taught that we can't change our fates.


Sean Sullivan said...

When I think of "don't blame the victim"... I personally mean don't blame the victim for being "stupid" or "lazy". I see lots of security minded folks pointing their finger at people and declaring that they should have more "common sense". I think that's unfair.

Yes, people should patch. But they're also taught to patch on a schedule, e.g. patch Tuesday. Patches sometimes break things, so not only should it be on a schedule, we should also test the patch first, before releasing it to production. Patching too fast and too often will get an IT person fired (no doubt). So there's a real conflict here.

So, yeah, don't blame the "victim" for being stupid and lazy. Examine whether or not they knew to patch on a regular routine. Do chastise them for falling behind schedule. Don't chastise/blame them if the vendor and/or security industry failed to communicate that they should have gone "out-of-cycle".

I read your conversation on Twitter last night, and I think Maxim/Jerome are tired of the assumption that people don't patch because they are "lazy". I agree with them at that level.

I do also agree with you in principle that people shouldn't get a free pass when it comes to making security decisions, but...

I don't think Lee Mathews' conclusion that "Laziness is compromising our online security" is entirely fair.

kurt wismer said...

it seems that you and i differ in our opinion of what's "fair". lack of effort and lack of knowledge are both things that are within a person's power to change. those are difficulties people are capable of overcoming, so i'm not going to go around suggesting they don't need to - which is exactly what trying to shield them from their share of the responsibility does.

as for your attribution of meaning to maxim/jerome's arguments, i think their concept of what laziness is lacks nuance. i don't think laziness is just some character flaw and people who exhibit it are somehow 'bad'. i think it's an adaptive behaviour that no longer serves its purpose for the most part and we as a species need to evolve away from it in order to better cope with the world we live in. without adaptive pressures (such as holding people responsible) such change won't occur.

it's a little like tough love. it's hard but in the long run it's for their own good.

Sean Sullivan said...

Not everything is subject to change. Some stuff is just built-in.

It sounds as if you're suggesting that people might be "lazy" if they see an optical illusion -- magic. I watched a cool segment on Nova Science Now last season with neuroscientists examining just what makes an illusion work. Why does the mind see a ball leap from one hand to another? It's because our brains see the ball as "prey" and it fills in the gaps. Our brains "lie" to us, so that our mind "sees" the prey (and we get to eat).

I think security issues such as social engineering are a form of similar magic. Don't blame the "victim" for not seeing the illusion. It isn't failing to overcome something that's hard, it's being exploited by the way our brain is hardwired to trust.

And I think that addressing whether or not people have been properly trained to update on schedule is not an issue of laziness, but whether or not the training has been properly designed to adjust the formatting of our brains (hardware).

And a LOT of "education" fails at this. We can produce all the advice in the world (software) but it won't change our habits (hardware) without an engineering (lifestyle) approach.

People don't fail to overcome stuff because it's hard, they don't overcome security failings because security education has failed to rebuild them.

kurt wismer said...

those things that are beyond a person's power to change are things i would definitely NOT blame them for. i hoped that was clearly implied, but i guess ambiguity can sneak in anywhere.

physical and mental laziness don't qualify as things that are beyond people's ability to change, however.

the notions of "training" and education failure both ignore the concept of mental laziness - very little will just naturally stick when you throw it at an uncooperative mind, and that 'uncooperativeness' is entirely their responsibility. it's not something a third party has direct control over. maybe you can trick them into being cooperative, or maybe you can coerce cooperation (the model used in schools - doesn't always work and is next to impossible to implement in other settings).

Anonymous said...

It is surprising to me how certain we become after an incident, given how uncertain we are before them.

The bigger problem with blaming the victim is that it alienates them from the people that could help. After all, security pros rarely know the full set of circumstances in those incidents when we place blame.

So, feel free to blame me, because I say (generally) "don't blame the victim."

Pete Lindstrom

kurt wismer said...

i think it depends on how the blame is presented. certainly there are unhelpful ways to do it but there are constructive ways too.

i think it's critically important that people understand that bad things happen (usually) because of something they did or something they should have done but didn't.

not blaming the victim also implies not holding them responsible for the consequences of their actions or inactions. that's not a tenable proposition, as far as i'm concerned.

the practice of abstracting the user out of the system, of trying to delegate all their security-related responsibilities to someone or something else doesn't work. so long as users make decisions that have security implications (and i can't imagine that ever going away) those very same users need to take responsibility for those decisions so that there's some kind of influence that leads them to making progressively better decisions as time goes by.